GDPR: What schools need to know in 2018


Darren Rose CIPP/E, who is currently Schools Compliance Advisor (Data Protection) at OSMIS Education, offers his guidance on GDPR within schools.

The General Data Protection Regulation (GDPR) is a European law which comes into effect on 25th May 2018. It is the culmination of four years of deliberation on the changes in technology since the current Data Protection Directive of 1995 was enacted, as well as on possible future technologies. If you consider that in 1995 we had Ceefax, telephone boxes, no internet (other than the academic JANET network) and no social media, many things have changed, not least the reliance on sharing personal information for banking, e-commerce and social interaction, thereby greatly increasing the potential risk to the individual.

The Information Commissioner (Elizabeth Denham), in her recent video “GDPR for the boardroom”, confirms that the GDPR is a once-in-a-generation change and requires your organisation to demonstrate that data protection is a cornerstone of your policies and practices; otherwise you will leave yourself open to enforcement action.

A key part of the legislation is that of accountability through a comprehensive framework including mandatory documented policies, procedures and records within your school.

Overview of critical changes

Comes into effect on 25 May 2018

Fines of up to €20 Million (or 4% of global turnover)

New data subjects’ right to compensation

New specific consent requirements, with evidence of consent and the right to withdraw it

New data subject right to be forgotten (deletion)

One month to respond to subject access requests, with charges removed

Mandatory privacy impact assessments

Mandatory documentation of compliance

Mandatory breach notifications within 72 hours of discovery

Whilst I have listed fines, the ICO has confirmed that these are not the full extent of the GDPR’s powers. There are also non-monetary sanctions available to the ICO, including undertakings and enforcement notices, which will be considered for organisations that have demonstrated a privacy culture within their school but have nonetheless experienced a data breach.

What schools should be focusing on / reviewing

Whilst there is still ongoing discussion regarding the mandatory appointment of a Data Protection Officer (DPO) within education, schools should still act now. Local authorities are still establishing what services they can provide to schools within their authority, and definitive accreditation guidance from the ICO is still awaited, but certain tasks, such as staff training and identification of personal data within your school, can be completed before the status of, or need for, a DPO is confirmed.

How does a Chief Privacy Officer differ from a Data Protection Officer?

The ICO has stated that where there is no data protection officer, or where appointment is not a mandatory requirement, an organisation should nominate an individual as a single point of contact. This single point of contact should support peers on data protection issues, oversee the data privacy culture, report any issues to senior management and escalate issues to an external data protection officer if required. The position has no formal job title or job description as it is not legally required; it is guidance for best practice. However, some organisations are using the title of Chief Privacy Officer. As this role is not a statutory requirement, any individual can be nominated, including those in roles which have been barred from the newly defined position of Data Protection Officer due to a possible conflict of interest, e.g. Head of IT, Head of HR or a member of the executive.

Reducing cost by implementing the 95% model

A model appears to be developing within education known as the 95% model. In it, the majority of data protection functions are performed by individuals within the school, under the guidance of the school’s chief privacy officer (CPO), with a light-touch approach from either an internal DPO or an outsourced DPO service (the remaining 5%). This model not only reduces costs but also ensures that an ongoing privacy culture develops and continues to be the cornerstone of data protection within the school into the future.

Using a culture to address “The human factor”

According to the International Association of Privacy Professionals (IAPP) the most common privacy breaches happen when data is stolen, lost or mistakenly disclosed. What is needed is an environment, or “culture”, where protecting data privacy is top of the mind of every staff member whenever that person handles personal information – a privacy culture.

A privacy culture is best implemented through awareness, training and support of all staff within your school who may handle personal data.

Another key element of a privacy culture is adequate technological and physical security of hardware and of electronic or hard copies of personal data, including backups, antivirus software, critical updates to operating systems, and securing critical servers and filing cabinets.

A key principle of good data management is CIA: Confidentiality, Integrity (also known as accuracy) and Accessibility. Increased accessibility, combined with adequate security (Confidentiality), ensures the Integrity of the data whilst providing the best data security.

Real-world examples of this are your MIS system or school network. If you increase their accessibility, either within the school network or via remote access, you remove the need for potentially insecure printouts, USB sticks containing temporary backups and insecure transmission via email, greatly reducing the risks involved in handling that personal data.

Responsibilities of the school and what it can do to comply

Identify the resources you already have access to, either internal or external, via an existing support contract. Utilise this existing resource to its full potential to reduce costs and impact on your school. This could be in the form of fully utilising the capability of your MIS system, school networks and IT hardware which you have already invested in over the years.

Appoint a chief privacy officer (CPO) to be a single point of contact within the school, provide peer support, signpost colleagues to training and support and provide updates on progress and key issues to the head and governing body.

Assign a team to support the CPO and to ensure all data is covered. This could include the school business manager (for supplier contracts, staff contracts and admin data), IT (for hardware audits, network security, backups, antivirus and OS updates), the SENCO (for identification of data held on some of the most vulnerable groups) and a member of the SLT, if not already one of the positions mentioned.

Create a group to allow collaboration with other schools within your family or cluster to provide peer support, share best practice and provide procurement benefit through economy of scale.

Top tips

The ICO website has a wealth of useful resources including tools, myth buster videos, training materials and updates on the new Data Protection Bill.

In all training and procedures, it should be emphasised that data privacy should never trump safeguarding policies. The ICO data sharing checklist even specifies a condition for sharing data as “If there is a risk to an individual, or society, of sharing or not sharing the information”.

Be proactive in engaging parents to create a positive perception of data privacy, instil confidence in parents and reduce the likelihood of subject access requests, through communications via either a letter home or handouts ready in school reception areas.

Follow the same methodology as you have used in the past to implement a safeguarding culture and fulfil the safeguarding accountability framework, including training, new staff induction procedures, school policy, communication and documentation to prove compliance.

It will take time to implement a privacy culture, just as your current safeguarding environment didn’t simply happen overnight. By encouraging everyone involved to play an active role in the process and understand its benefits as well as the pitfalls, tackling GDPR compliance doesn’t need to be a challenge or a burden.

Comments

Yvonne Hawker (not verified)

Tuesday, 16 January 2018, 12:23

How do we address the problem of 'how long data is stored'? My understanding is that we should not keep records after an ex-pupil has turned age 25 but in SIMs "it is not possible to delete a pupil if they have any of the following details recorded against them:
1. Examination entries
2. Education Maintenance Allowance
3. Connexions record"
Is this legal and, if not, do you intend to introduce an upgrade to allow the deletions? I would be interested to know if this has been raised by other schools.
Many thanks

Paul Featherstone

Thursday, 18 January 2018, 9:01

Hi Yvonne,

Many thanks for your comment - we're planning to deliver in the Summer Release a bulk delete of data for students. I.e., for a group of students, for a specified time frame, if they are a leaver, please delete all behaviour records. There is then the ability to remove achievements, detentions and so on, until all you are left with is the core pupil record, which can then be deleted, therefore leaving no record of those students.

Alison Meehan (not verified)

Friday, 23 February 2018, 13:20

How can we delete staff, as the delete staff routine doesn't work because all staff will have some sort of data attached (that's why they are on there)? Surely we have to delete staff who left over 7 years ago?

Andy Gardner

Monday, 26 February 2018, 9:55

Hi Alison, many thanks for getting in touch - for the best advice, please call our Service Desk on 0845 607 6275; this is a direct line to the finance team, but they also deal with personnel so they should be able to guide you. Hope this is ok - if there's anything else we can do to help, please feel free to let me know - many thanks, Andy, Capita SIMS.

Simon Pert (not verified)

Lucy Owen (not verified)

Wednesday, 14 March 2018, 12:00

When we send students on trips outside of school hours, we have to obtain specific consent from parents. Other schools state that when a parent makes a payment for the trip they are giving their consent for their child to go on the trip. Is this the case?

Steve Phillips (not verified)

Wednesday, 21 March 2018, 9:01

By default, most SIMS users have excessive access rights - i.e. above and beyond what could be deemed necessary to do their job. Are Capita likely to be addressing this or is it up to the school to reduce access levels? This is going to be a major job for some schools, determining what is necessary and what is over the top. Thanks

Angela Cavendish (not verified)

Thursday, 22 March 2018, 7:06

Regarding the use of student photographs on social media and in newspapers to promote a school's progress or certain events: if the school has something written into its use of data policy which advises people of this use and invites people to tell the school if they object to such use, is this enough?

David Simpson

Monday, 26 March 2018, 12:11

Hi Lucy, many thanks for getting in touch - in terms of capturing consent, that's entirely down to the individual school. However, we do provide a number of tools to facilitate this, for example SIMS Agora payments for school trips can capture this while SIMS Activities and SIMS Parent app can capture interest or participation acceptance for extracurricular activities.

Paul Featherstone

Monday, 26 March 2018, 14:47

Hi Steve,

Many thanks for your comment. It is the responsibility of the school's data controller to determine what access a user has to the data held on individuals, whether this is in a MIS system or a computer network.

SIMS provides default system permission groups defined by a role in the school, for example a Registration Tutor, Special Educational Needs Coordinator or Personnel Officer. These groups can be adopted by the school if they like, but they are responsible for ensuring they suit their school's needs and if not, they are able to customise their own SIMS permission groups to their needs.

David Rothery (not verified)

Monday, 16 April 2018, 22:59

In relation to backups/archives of both SQL and DMS data, how do we decide on how long we keep backups of our SIMS/FMS data? Since even with a bulk delete of data, it will only apply to the current/live database and DMS!

Paul Featherstone

Wednesday, 18 April 2018, 8:57

Thank you for your comment, Capita are not in a position to make specific retention period recommendations for your SQL and DMS backups. You are right that the forthcoming changes to SIMS in the summer to support data retention will only delete the data from the live SQL database.

Tania Dynowska (not verified)

Craig (not verified)

Wednesday, 25 April 2018, 9:37

We are currently writing our new privacy notice for pupils and families. We are listing a section of third-party companies who we share data with, i.e. we use Google Education, and we also then list that we are sharing pupils' names and year groups with them.

As we are using SIMS to capture personal data and this is a third party to the school, do we need to list SIMS on the privacy notice and all the data fields it holds?

Andy Gardner

Thursday, 26 April 2018, 14:17

Hi Sue, Tania and Craig - if you are currently SIMS customers, you can log on to My Account and access our GDPR FAQs page, where your question may already have been answered. If not, please submit your question to the FAQ page for a response. The FAQ page can be accessed here: https://myaccount.capita-cs.co.uk/Notifications/GDPR-Questions-Answered…. Many thanks, Andy, SIMS Marketing.

Ruth Bishop (not verified)

Friday, 4 May 2018, 22:37

Hi
I just wondered if pupils' SIMS-recorded "Racist Incident" summaries and "markers" are subject to the GDPR in terms of suggested retention periods and possible rectification (full background/context possibly added later), or even full erasure if deemed to be non-racially motivated on conclusion of the school's own investigation.
Many Thanks
Concerned Teaching Staff

Richard (not verified)

Tuesday, 8 May 2018, 10:51

Good morning
We have always used email as a method to communicate. Therefore we have lots of emails on the system which contain information about pupils. This goes back quite a number of years. We used Office 365 as our email system. I just wondered where we stand regarding GDPR. How are others managing this?
Many thanks
Richard

Andy Gardner

Wednesday, 9 May 2018, 8:57

Hi Richard, many thanks for getting in touch - if you're a SIMS customer, you can check out the GDPR FAQ page on My Account to see if your query has been looked into before. The page can be found here: https://myaccount.capita-cs.co.uk/Notifications/GDPR-Questions-Answered-from-Customers-of-SIMS. If your query has yet to be answered, you can post it to the FAQ page where a member of our team can look into it for you. I hope this is ok - if there's anything else we can do to help, please let me know. Many thanks, Andy, SIMS Marketing.

kirsty (not verified)

Paul Featherstone

Wednesday, 15 August 2018, 9:48

Thanks for your comment on GDPR. Sending home a paper report needs to be treated with the same care and consideration as anything you send home containing personal data, now or in the past, paper or electronic. GDPR does not prohibit the process of sending out paper reports, but schools should be aware of the risks and mitigate these as much as possible.

Leena (not verified)

Andy Gardner

Tuesday, 20 November 2018, 9:53

Hi Nuala, many thanks for getting in touch - so I can get the most accurate response for you, could you please let me know which issue in this chain you're looking for a solution to? In the meantime, there might be something of use on MyAccount, if you have a login for the site? Many thanks, Andy.

David Simpson

Tuesday, 20 November 2018, 11:52

Hi Alison, many thanks for getting in touch. Email messages sent by SIMS InTouch are encrypted in flight and at rest.

The more pressing consideration for schools regarding GDPR is that, on the basis that communications sent via InTouch can be of a sensitive nature, careful consideration should be given to report output prior to sending a message.

You should be mindful of your school’s responsibilities with respect to information security. It is your school's responsibility to ensure that:

▪ fair processing notices inform parents/carers that email will be used to communicate important information.

▪ email addresses recorded in SIMS are accurate and up to date.

▪ court orders are recorded promptly and accurately to ensure that barred contacts do not receive emails about a child.

▪ email addresses are not entered 'on the fly' when selecting the recipients of a message, to reduce the risk of a message being sent to the wrong person.

Paul Featherstone

Wednesday, 21 November 2018, 14:42

Hi Leena - on the subject of pupil photos and from a GDPR point of view, it’s not Capita’s decision whether the school can or cannot. It will be the decision of the data controller at the school. Specific advice should be sought from the ICO or the data management team in your MAT or local authority.

Carla Hollings (not verified)

Tuesday, 27 November 2018, 3:59

Hello Paul.

Are schools still allowed to use “blanket” consent forms for school trips and inform parents of each trip prior to its taking place, or, due to GDPR, are separate consent forms now required before EVERY trip?

Paul Featherstone

Many thanks for your comment - I've been in touch with Darren, who wrote this blog, who has provided us with the following response:

There is a difference between parental consent for school trips and consent to process personal data.

In terms of a school trip and parental consent, yes, it is OK to have a blanket consent and then individual parental consent for each trip.

In terms of consent to process personal data for a school trip, i.e. medical records for a residential trip, this must be done for each trip.

Some schools have added a paragraph to the school trip consent form called sharing of personal data, in which they have detailed the data to be shared and the name of the company running the establishment with assurance it will only be used for the purposes of safeguarding during the trip and not retained beyond the school trip.

The parents are then informed "by signing this form you give parental consent and consent to your child's personal data being shared with the parties as outlined in the personal data paragraph of this form".

Please refer to your school's data protection officer for the full correct wording within the data protection paragraph and declaration prior to use.

I hope this answers your query - if there's anything else we can do to help, please let us know.